[Announce] ANNOUNCE: strongswan-4.5.2 released
Andreas Steffen
andreas.steffen at strongswan.org
Wed May 25 13:17:11 CEST 2011
Hi,
the strongSwan 4.5.2 release offers the following new features:
- The *whitelist* plugin for the IKEv2 daemon maintains an
in-memory identity whitelist. Any connection attempt of peers
not whitelisted will get rejected. The 'ipsec whitelist' utility
provides a simple command line frontend for whitelist administration.
http://wiki.strongswan.org/projects/strongswan/wiki/Whitelist
http://www.strongswan.org/uml/testresults/ikev2/rw-whitelist/
- The *duplicheck* plugin provides a specialized form of duplicate
checking, doing a liveness check on the old SA and optionally notify
a third party application about detected duplicates.
http://wiki.strongswan.org/projects/strongswan/wiki/Duplicheck
- The *coupling* plugin permanently couples two or more devices by
limiting authentication to previously used certificates.
http://wiki.strongswan.org/projects/strongswan/wiki/CertCoupling
- Duncan Salerno contributed the *eap-sim-pcsc* plugin implementing
a pcsc-lite based SIM card backend.
- The *eap-peap3 plugin implements Microsoft's EAP PEAPv0 protocol.
Interoperates successfully with a FreeRADIUS server and Windows 7
Agile VPN clients.
http://www.strongswan.org/uml/testresults/ikev2/rw-eap-peap-mschapv2/
- In the case that the peer config and child config don't have the
same name (usually in SQL database defined connections),
ipsec up|route <peer config>
starts|routes all associated child configs and
ipsec up|route <child config>
only starts|routes the specific child config.
- The IKEv2 daemon charon rereads strongswan.conf on SIGHUP and
instructs all plugins to reload. Currently only the *eap-radius*
and the *attr* plugins support configuration reloading.
- Added userland support to the IKEv2 daemon for Extended Sequence
Numbers support coming with Linux 2.6.39. To enable ESN on a
connection, add the 'esn' keyword to the proposal. The default
proposal uses 32-bit sequence numbers only ('noesn'), and the same
value is used if no ESN mode is specified. To negotiate ESN support
with the peer, include both, e.g.
esp=aes128-sha1-esn-noesn.
- In addition to ESN, Linux 2.6.39 gained support for replay windows
larger than 32 packets. The new global strongswan.conf option
charon.replay_window
configures the size of the replay window, in packets.
- Linux 2.6.38 introduced the AF_ALG Crypto API which makes the
crypto algorithms of the kernel available in userland. We have
created a number of example scenario showing the use of the
*af-alg* plugin for IKEv1
http://www.strongswan.org/uml/testresults/af-alg-ikev1/index.html
and IKEv2
http://www.strongswan.org/uml/testresults/af-alg-ikev2/index.html
An updated overview on strongSwan's crypto options can be found
on our wiki:
http://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites
http://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites
Best regards
Andreas Steffen, Martin Willi, Tobias Brunner
The strongSwan Team
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
More information about the Announce
mailing list